How Wordfence handles Private Addresses

From Wordfence Documentation

A private IP address is one that can't be used on the public Internet to provide a service to everyone else on the Internet. That means that you will never see packets arriving at your web server from these IP address ranges unless those packets originated on your internal network.

Wordfence gives special treatment to traffic arriving from private IP address ranges. We immediately whitelist that traffic because it is originating from your internal network and we don't want to block anything on your internal network that is trying to access your site.

What this means is that if Wordfence sees traffic originating from an internal IP address (or private IP address), it will not enforce the usual security mechanisms such as cellphone sign-in, brute force protection, lockout and so on. Remember that it is not possible for a hacker to attack your site from one of these IP addresses or any IP within these ranges because routers on the public Internet are configured to drop any traffic from these address ranges immediately. Traffic from these ranges is non-routable on the public Internet.

The main reason we are publishing this document is to highlight how important it is that you configure Wordfence correctly. Wordfence must receive the correct IP address for each visitor: if it is not configured correctly and thinks a visitor originates from a private IP address, it will not enforce security for that visitor. The option you need to make sure you have set correctly in Wordfence is "How does Wordfence get IPs".

Wordfence considers the following IP address ranges private and automatically whitelists them. If you see any of these addresses appearing in Wordfence Live Traffic, then you are either getting real visits from your internal network (which is unusual) or you don't have Wordfence configured correctly.

Private IPv4 addresses

| CIDR | Address Range | Number of Addresses | Scope | Purpose |
|---|---|---|---|---|
| 10.0.0.0/8 | 10.0.0.0 – 10.255.255.255 | 16,777,216 | private network | Used for local communications within a private network as specified by RFC 1918. |
| 127.0.0.0/8 | 127.0.0.0 – 127.255.255.255 | 16,777,216 | host | Used for loopback addresses to the local host, as specified by RFC 990. |
| 172.16.0.0/12 | 172.16.0.0 – 172.31.255.255 | 1,048,576 | private network | Used for local communications within a private network as specified by RFC 1918. |
| 192.0.0.0/29 | 192.0.0.0 – 192.0.0.7 | 8 | private network | Used for the DS-Lite transition mechanism as specified by RFC 6333. |
| 192.168.0.0/16 | 192.168.0.0 – 192.168.255.255 | 65,536 | private network | Used for local communications within a private network as specified by RFC 1918. |
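
One way to check a web server access log for the situation described above (visitor addresses that fall inside the listed ranges), as an added example that is not Wordfence code. The function names, the sample log lines and the assumption that the client IP is the first field of each line are constructed for illustration.

```python
import ipaddress

# The five IPv4 ranges listed in the table on this page.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.0.0.0/29", "192.168.0.0/16",
)]

def matching_range(ip_text):
    """Return the listed CIDR containing ip_text, or None if outside, unparsable or not IPv4."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    if ip.version != 4:
        return None
    for net in PRIVATE_RANGES:
        if ip in net:
            return str(net)
    return None

def audit(log_lines):
    """Return (line_number, ip, cidr) for each line whose first field is in a listed range."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if not fields:
            continue
        cidr = matching_range(fields[0])
        if cidr:
            hits.append((n, fields[0], cidr))
    return hits

# Constructed sample lines in common log format (not real traffic).
# 172.32.0.1 and 192.0.0.8 sit just outside the /12 and /29 boundaries.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '10.0.3.15 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1843',
    '172.32.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512',
    '172.31.255.255 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1843',
    '192.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, ip, cidr in audit(SAMPLE_LOG):
        print(f"line {n}: {ip} is inside {cidr}; check how the site obtains visitor IPs")
```

The ranges are spelled out rather than taken from Python's `is_private` attribute, which covers more address blocks than the five this page lists.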